Episode Transcript
0:00
Hello and welcome to the Wednesday, May 1st, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

0:15
Came across yet another attack against NAS devices today. This time the target is the Zyxel NAS326. Interestingly, this is a little bit of an older vulnerability. It was first described, including a proof of concept, late last year, I think it was November, and I haven't really seen any exploit attempts for this vulnerability so far. But yes, we are seeing exploit attempts now, so far just from one IP address, and it's attempting to download a script and run it. Sadly, I haven't been able yet to recover this particular script that is being attempted to be uploaded here. Could be that they only really make it accessible to IP addresses to which they just attempted to upload the script, so there could be some firewall blocking going on there, or maybe we are a little bit too late here, since this started a couple of days ago and this malicious second stage was already removed again. It's an older vulnerability, so hopefully you got your systems already patched for this particular problem. Actually, two different problems sort of contribute here to it. The reason it sort of stuck out to me a little bit when I saw it was the odd URL format, where it's slash CMD comma and then the remainder of the URL. It's a POST request, and then the actual payload looks like it's sort of trying to install some kind of package here, and then passing, as a standard command injection, this additional payload parameter.

1:57
And if you ever talked to a data scientist, a lot of their work, in particular when it comes to machine learning, of course these days AI, well, that is often done using the language R. R was designed around statistical computing, so it's very well versed in things like data visualization and machine learning. It does not typically allow the execution of sort of arbitrary operating system commands and such, but HiddenLayer, a machine learning and AI security company, did find a deserialization vulnerability in R that actually can lead to arbitrary code execution. Just like with any language, much of the code that you are running in R is actually downloaded from third-party repositories. There's something called the Comprehensive R Archive Network, or CRAN, that contains something like 20,000 packages according to HiddenLayer, and of course there would be ample opportunity for an attacker to offer a malicious payload that then takes advantage of this deserialization vulnerability. And the patch was released with R version 4.4.0.

3:14
And talking about supply chain vulnerabilities, JFrog has done some work with Docker to identify malicious Docker repositories. On Docker Hub, you usually have a short description of a particular project, and that description may include links for, for example, the documentation or such of the project. What JFrog found is that 20% of the repositories on Docker Hub are actually linking to either spam or in some cases some outright malicious content. Also interesting here is that these repositories don't even bother to actually publish a Docker image. That's sort of optional. It's really sort of the concept of Docker Hub; it's really somewhat of a collaborative platform, so a user legitimately may set up a repository and then never ever actually publish an image to it. But in this case it appears that these particular repositories were only set up in order to redirect victims to their malicious websites, in some cases just some simple spam, like the typical sort of pill mill kind of stuff. JFrog and Docker identified 2.8 million repositories that follow this pattern and of course have removed them by now.

4:41
And if you have been in the IT industry for a while, you probably noticed the trend that any standard being used for direct attached storage will eventually be exposed over the network. It was of course the case with SCSI and iSCSI; well, it's now the case with NVMe, or as they're now calling it, NVMe over Fabric, which then can become NVMe over TCP. Given the increased speed of networks in the hundred-gigabit range and the like, it envisions that you have this pool of NVMe drives that are directly accessible over the network. Security company CyberArk now took the syzkaller fuzzer in order to test the NVMe over TCP implementation in the Linux kernel. Shouldn't be a huge surprise, but they found five different vulnerabilities. And with these drivers running as kernel modules, these vulnerabilities then may lead to remote code execution in the kernel. Kind of nice that these bugs were found pretty early, sort of in the usage cycle of NVMe over TCP, so I hope that much of this will be fixed before it becomes too much of a problem. Of course, many of these protocols are not necessarily sort of designed for the open Internet.

6:17
Well, that is it for today. Thanks for listening. If you like this podcast, please tell your friends about it. Remember, it's available via YouTube, via your Amazon Echo, and of course in all of the major podcast platforms. Thanks and talk to you again tomorrow.